
wpwax — Vulnerabilities & Security Advisories 36

Browse all 36 CVE security advisories affecting wpwax. AI-powered Chinese analysis, POCs, and references for each vulnerability.

wpWax is a WordPress plugin framework designed to facilitate the creation of custom themes and plugins, primarily serving developers and agencies seeking to streamline website construction. Its widespread adoption has made it a frequent target for attackers, resulting in thirty-six recorded Common Vulnerabilities and Exposures. The most prevalent vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and Privilege Escalation, often stemming from insufficient input validation and improper sanitization of user-supplied data. These flaws typically allow unauthenticated attackers to execute arbitrary code or manipulate administrative functions. While wpWax itself is not inherently malicious, its complex architecture and reliance on third-party extensions have historically introduced significant security risks. Recent patches have addressed critical RCE vectors, yet the high volume of past incidents underscores the necessity for rigorous code auditing and timely updates to mitigate exploitation risks in environments utilizing this framework.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39509 | WordPress Directorist plugin <= 8.5.10 - Broken Access Control vulnerability | Directorist | CWE-862 | 5.3 | Medium | 2026-04-08 |
| CVE-2026-22460 | WordPress FormGent plugin <= 1.7.0 - Arbitrary File Deletion vulnerability | FormGent | CWE-22 | 8.6 | High | 2026-03-05 |
| CVE-2025-68069 | WordPress Directorist plugin <= 8.6.6 - Broken Access Control vulnerability | Directorist | CWE-862 | 7.1 | High | 2026-02-20 |
| CVE-2025-64250 | WordPress Directorist plugin <= 8.6.6 - Open Redirection vulnerability | Directorist | CWE-601 | 4.7 | Medium | 2025-12-16 |
| CVE-2025-66077 | WordPress Legal Pages plugin <= 1.4.6 - Broken Access Control vulnerability | Legal Pages | CWE-862 | 5.3 | Medium | 2025-11-21 |
| CVE-2025-12174 | Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.5.2 - Missing Authorization to Authenticated (Subscriber+) Data Export and Slug Update | Directorist: AI-Powered Business Directory, Listings & Classified Ads | CWE-862 | 6.5 | Medium | 2025-11-19 |
| CVE-2025-10488 | Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.4.8 - Authenticated (Subscriber+) Arbitrary File Move | Directorist: AI-Powered Business Directory, Listings & Classified Ads | CWE-22 | 8.1 | High | 2025-10-25 |
| CVE-2025-48242 | WordPress Legal Pages plugin <= 1.4.5 - Broken Access Control Vulnerability | Legal Pages | CWE-862 | 6.5 | Medium | 2025-05-19 |
| CVE-2025-32658 | WordPress HelpGent plugin <= 2.2.5 - PHP Object Injection vulnerability | HelpGent | CWE-502 | 9.8 | Critical | 2025-04-17 |
| CVE-2025-39525 | WordPress Logo Carousel Slider plugin <= 2.1.3 - Cross Site Scripting (XSS) Vulnerability | Logo Carousel Slider | CWE-79 | 6.5 | Medium | 2025-04-16 |
| CVE-2025-32499 | WordPress Logo Showcase Ultimate plugin <= 1.4.4 - Local File Inclusion vulnerability | Logo Showcase Ultimate | CWE-98 | 6.5 | Medium | 2025-04-09 |
| CVE-2025-31857 | WordPress Directorist AddonsKit for Elementor plugin <= 1.1.6 - Cross Site Scripting (XSS) vulnerability | Directorist AddonsKit for Elementor | CWE-79 | 6.5 | Medium | 2025-04-01 |
| CVE-2025-2224 | Directorist <= 8.2 - Missing Authorization to Unauthenticated Arbitrary Post Publishing | Directorist: AI-Powered Business Directory, Listings & Classified Ads | CWE-862 | 5.3 | Medium | 2025-03-25 |
| CVE-2025-1570 | Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.1 - Privilege Escalation and Account Takeover via Weak OTP | Directorist: AI-Powered Business Directory, Listings & Classified Ads | CWE-640 | 8.1 | High | 2025-02-28 |
| CVE-2024-12041 | Directorist – AI-Powered WordPress Business Directory Plugin with Classified Ads Listings <= 8.0.12 - Unauthenticated User Information Exposure | Directorist: AI-Powered Business Directory, Listings & Classified Ads | CWE-359 | 5.3 | Medium | 2025-02-01 |
| CVE-2025-24782 | WordPress Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin <= 1.6.10 - Local File Inclusion vulnerability | Post Grid, Slider & Carousel Ultimate | CWE-98 | 6.5 | Medium | 2025-01-27 |
| CVE-2025-24681 | WordPress Product Carousel Slider & Grid Ultimate for WooCommerce Plugin <= 1.10.0 - Cross Site Scripting (XSS) vulnerability | Product Carousel Slider & Grid Ultimate for WooCommerce | CWE-79 | 5.9 | Medium | 2025-01-24 |
| CVE-2024-13408 | Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.10 - Authenticated (Contributor+) Local File Inclusion | Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget | CWE-98 | 7.5 | High | 2025-01-24 |
| CVE-2024-13409 | Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.10 - Authenticated (Contributor+) Local File Inclusion via post_type_ajax_handler() | Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget | CWE-22 | 7.5 | High | 2025-01-24 |
| CVE-2024-12040 | Product Carousel Slider & Grid Ultimate for WooCommerce <= 1.9.10 - Authenticated (Contributor+) Local File Inclusion via 'theme' | Product Carousel Slider & Grid Ultimate for WooCommerce | CWE-98 | 8.8 | High | 2024-12-12 |
| CVE-2024-44048 | WordPress Product Carousel Slider & Grid Ultimate for WooCommerce plugin <= 1.9.10 - Authenticated Local File Inclusion vulnerability | Product Carousel Slider & Grid Ultimate for WooCommerce | CWE-98 | 6.5 | Medium | 2024-09-23 |
| CVE-2024-8046 | Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid <= 1.4.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | CWE-79 | 6.4 | Medium | 2024-08-27 |
| CVE-2024-33929 | WordPress Directorist plugin <= 7.8.6 - Broken Access Control vulnerability | Directorist | CWE-862 | 5.3 | Medium | 2024-05-03 |
| CVE-2024-32451 | WordPress Legal Pages plugin <= 1.4.2 - Cross Site Request Forgery (CSRF) vulnerability | Legal Pages | CWE-352 | 4.3 | Medium | 2024-04-15 |
| CVE-2024-29925 | WordPress Post Grid, Slider & Carousel Ultimate plugin <= 1.6.6 - Cross Site Scripting (XSS) vulnerability | Post Grid, Slider & Carousel Ultimate | CWE-79 | 6.5 | Medium | 2024-03-27 |
| CVE-2023-50886 | WordPress Legal Pages plugin <= 1.3.7 - CSRF + Broken Access Control vulnerability | Legal Pages | CWE-352 | 4.3 | Medium | 2024-03-15 |
| CVE-2024-1950 | Product Carousel Slider & Grid Ultimate for WooCommerce <= 1.9.7 - Authenticated(Contributor+) PHP Object Injection | Product Carousel Slider & Grid Ultimate for WooCommerce | CWE-502 | 7.5 | High | 2024-03-13 |
| CVE-2024-1951 | Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid <= 1.3.8 - Authenticated(Contributor+) PHP Object Injection | Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | CWE-502 | 7.5 | High | 2024-03-13 |
| CVE-2024-2006 | Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.7 - Authenticated (Contributor+) PHP Object Injection in outpost_shortcode_metabox_markup | Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget | CWE-502 | 8.8 | High | 2024-03-13 |
| CVE-2024-1322 | Directorist <= 7.8.4 - Missing Authorization to Unauthenticated Settings Change | Directorist: AI-Powered Business Directory, Listings & Classified Ads | CWE-862 | 5.3 | Medium | 2024-02-20 |

This page lists every published CVE security advisory associated with wpwax. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.